On Mon, 10 Nov 2003 21:09:44 -0800 Todd Lyons <[EMAIL PROTECTED]> forwarded:
> reviewing the logs, I have seen a large number of GETs
> in /var/log/httpd/*.log with verrrrrrrrrrrrry long
> pathnames and/or requests to xxx.xxx.xxx:25. I think that
> is how they got in.

Not "in"; but "through"... I pointed this out to David in a private mail along with the below quick test for proxying... Seems that using ":25" is a twist that I hadn't seen; but then again, most of us have turned off proxying after this was raised here months ago...

Part of my msg to David:

> Hmmm... wonder if this is related to the www relaying that can happen
> in an apache server... [testing your address...] port 80 is blocked...
> is this done by your ISP? The way to check for httpd relaying is simple:
> telnet <IP> 80
> [connected messages]
> GET http://some.remote.site HTTP/1.0<enter>
> <enter>
>
> If the returned page is from some.remote.site, your server is an open
> relay... I've seen this long ago and suspected people were using this
> to bump hit-counters causing possible charges ($$) between target and
> advertiser. Dunno if this could be used to relay mail; but would not be
> surprised.

It appears that adding ":25" was a pretty simple hack to abuse the apache proxying... yet another reason for everyone to verify that mod-proxy is disabled....
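
Added example, not part of the original message: a log check for the pattern described above, listing requests in an Apache access log whose target names another host (absolute-URI GETs or CONNECT), with the port they asked for. The function name, the own_hosts parameter and the sample lines are assumptions made for this illustration.

```python
import re
from urllib.parse import urlsplit

# Apache common/combined log line: client ident user [time] "METHOD target PROTO" status size
LOG_RE = re.compile(r'^(\S+) \S+ \S+ \[[^\]]*\] "(\S+) (\S+)[^"]*" (\d{3}) ')
DEFAULT_PORT = {"http": 80, "https": 443, "ftp": 21}

def proxy_attempts(lines, own_hosts=()):
    """List requests whose target names a host other than our own.

    Returns tuples (client, method, host, port, status, answered_2xx).
    A 2xx only means the request was answered; whether the body came from
    the remote site still has to be confirmed with the telnet test above.
    """
    own = {h.lower() for h in own_hosts}
    hits = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue
        client, method, target, status = m.groups()
        try:
            if method.upper() == "CONNECT":                 # CONNECT host:port
                parts, fallback = urlsplit("//" + target), None
            elif re.match(r"(?i)(https?|ftp)://", target):  # absolute-URI form
                parts = urlsplit(target)
                fallback = DEFAULT_PORT[parts.scheme]
            else:
                continue                                    # ordinary path request
            host, port = parts.hostname, parts.port or fallback
        except ValueError:                                  # malformed port or netloc
            host, port = target, None
        if host and host.lower() in own:
            continue                                        # absolute URI for our own vhost
        hits.append((client, method, host, port, int(status), status[0] == "2"))
    return hits

# Constructed sample lines (documentation addresses and names, not from the original mail).
SAMPLE = [
    '192.0.2.10 - - [10/Nov/2003:20:01:02 -0800] "GET http://mail.example.net:25/ HTTP/1.0" 200 512',
    '192.0.2.10 - - [10/Nov/2003:20:01:05 -0800] "CONNECT mail.example.net:25 HTTP/1.0" 405 300',
    '198.51.100.7 - - [10/Nov/2003:20:02:00 -0800] "GET /index.html HTTP/1.0" 200 1043',
    '198.51.100.7 - - [10/Nov/2003:20:02:09 -0800] "GET http://www.example.org/index.html HTTP/1.1" 200 1043',
]

if __name__ == "__main__":
    for hit in proxy_attempts(SAMPLE, own_hosts=("www.example.org",)):
        print(hit)
```

Entries with port 25 and a 2xx status are the ones to follow up first.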
